Category: Regulatory Compliance & Frameworks

🔒 CIS Controls – The Center for Internet Security

The Center for Internet Security (CIS) provides globally recognised best practices for securing IT systems and data. Their most notable framework is the CIS Controls – a prioritised set of actions that help organisations protect themselves against the most pervasive cyber threats.

---

✅ What is CIS?

CIS (Center for Internet Security) is a non-profit organisation that provides cybersecurity standards and benchmarks, used worldwide to harden systems and improve cyber hygiene. Their mission is to “make the connected world a safer place.”

Their flagship offering is:

• CIS Controls – a set of 18 critical security controls
• CIS Benchmarks – secure configuration baselines for systems, software, and cloud environments

---

🧰 What are the CIS Controls?

The CIS Critical Security Controls (v8) are grouped into three implementation groups (IG1, IG2, IG3), depending on organisational maturity and risk.

Group	Description
IG1 (Basic)	Foundational cyber hygiene – ideal for small/medium organisations
IG2 (Standard)	Adds depth – suited to organisations with moderate resources and risks
IG3 (Advanced)	Designed for mature orgs with complex systems and significant risks

---

🔐 CIS Control Categories (v8)

The 18 controls are:

1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defences
11. Data Recovery
12. Network Infrastructure Management
13. Security Awareness and Skills Training
14. Security Operations Centre (SOC)
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing

Each control includes safeguards (formerly sub-controls) that detail actionable steps, and each is mapped to risk areas and other frameworks like NIST CSF, ISO 27001, and PCI DSS.

---

🚀 Why Use CIS Controls?

• Prioritised: Focuses first on high-impact, achievable defences
• Actionable: Clear, practical steps for implementation
• Mappable: Aligns with other security standards (NIST, ISO, etc.)
• Free: Publicly available and supported by a global community

---

🛠️ How to Use CIS in Your Organisation

1. Download the CIS Controls & Benchmarks
   Get them from the official site: https://cisecurity.org
2. Conduct a Gap Assessment
   Compare your current state against each control and its safeguards.
3. Prioritise by Implementation Group
   Start with IG1 if you’re a small or new organisation. Mature companies should aim for IG2 or IG3.
4. Apply CIS Benchmarks
   Harden operating systems, cloud, and software (e.g. Windows 10, Ubuntu, AWS) using step-by-step CIS benchmark guides.
5. Track Progress
   Use tools like the CIS Controls Assessment Tool (CIS-CAT) to monitor improvements.

---

🔧 Tools That Support CIS

• CIS-CAT Pro (assessment and scoring tool)
• Microsoft Defender, CrowdStrike, Tenable, etc., map detections to CIS Controls
• Cloud providers like AWS, Azure, GCP support CIS benchmarks as compliance standards

---

📦 Where to Get It

• CIS Controls & Benchmarks
• CIS-CAT Tool

---

🛡️ Summary

Implementing CIS Controls is one of the most effective ways to improve your cybersecurity posture quickly and systematically. Whether you’re a small business or an enterprise, CIS gives you a roadmap to reduce risk and meet compliance obligations.

🧰 What Is NIST SP 800-53?

NIST Special Publication 800-53 is a comprehensive framework developed by the National Institute of Standards and Technology (NIST) to help organizations secure their information systems. It provides a catalog of security and privacy controls designed to protect operations, assets, and individuals from threats like cyberattacks, human error, and natural disasters.

🧱 Key Features of NIST 800-53

• Over 1,000 controls organized into 20 control families
• Flexible and customizable for different environments
• Applicable to federal agencies and private organizations
• Supports compliance with laws like FISMA and the Privacy Act

🧩 Control Families Overview

Here are some of the major control families included in Revision 5:

Control Family	Purpose
Access Control (AC)	Restrict system access to authorized users
Audit & Accountability (AU)	Log and monitor system activity
Configuration Management (CM)	Maintain secure system settings
Incident Response (IR)	Detect and respond to security events
Risk Assessment (RA)	Identify and evaluate potential threats
System & Communications Protection (SC)	Safeguard data in transit and at rest
Supply Chain Risk Management (SR)	Address risks from third-party vendors

🧪 Example Use Case

A healthcare provider handling patient data might implement:

• Access Control (AC) to limit who can view medical records
• Audit Logs (AU) to track who accessed sensitive data
• Encryption (SC) to protect data during transmission

🛡️ Why It Matters

Implementing NIST 800-53 helps organizations:

• Strengthen cybersecurity posture
• Meet federal compliance requirements
• Protect sensitive data and privacy
• Build trust with stakeholders and clients

📚 Further Reading

• NIST SP 800-53 Official Publication
• Secureframe’s Guide to NIST 800-53
• SecurityScorecard’s Framework Overview

ISO/IEC 42001 is the first international standard focused on establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS). It helps organisations manage risks and responsibilities unique to the development and use of AI.

---

🤖 What Is ISO/IEC 42001?

Published in December 2023 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 42001 provides a structured framework for governing AI systems in a responsible, transparent, and risk-aware manner.

It is designed for any organisation — public or private — that develops, deploys, or relies on AI, offering guidance to meet ethical, legal, and technical challenges posed by AI technologies.

---

🎯 Purpose and Scope

The aim of ISO/IEC 42001 is to:

• Support responsible AI governance
• Ensure trustworthiness, transparency, and accountability
• Provide controls to mitigate AI-related risks
• Align AI development with ethical and regulatory expectations

The standard applies to:

• AI solution providers
• AI integrators
• Enterprises using AI-driven tools
• Organisations with AI in safety-critical, regulated, or high-risk domains

---

🧱 Key Components

ISO/IEC 42001 follows a Plan-Do-Check-Act (PDCA) model and includes requirements around:

1. AI Governance Structure
Define roles, responsibilities, and oversight for AI initiatives.

2. AI Risk Management
Identify, evaluate, and mitigate risks associated with bias, safety, privacy, and security in AI systems.

3. Transparency and Explainability
Implement controls to ensure AI decisions can be understood and justified by stakeholders.

4. Data Quality and Management
Ensure datasets used in AI training and inference are accurate, representative, and compliant with privacy requirements.

5. Lifecycle Controls
Manage AI systems across their full lifecycle — from design to decommissioning.

6. Human Oversight
Promote meaningful human control over AI systems to prevent unintended or unethical outcomes.

7. Stakeholder Engagement
Communicate AI-related policies, risks, and benefits to internal and external stakeholders.

8. Continuous Improvement
Monitor performance, track non-conformities, and adapt AI processes as technology and regulation evolve.

---

🛡️ Why Adopt ISO/IEC 42001?

• ✅ Demonstrate ethical and responsible AI use
• ✅ Align with global AI regulations and guidelines
• ✅ Improve stakeholder trust
• ✅ Identify and mitigate AI-specific risks
• ✅ Integrate AI governance into existing ISO management systems (e.g. ISO 27001, ISO 9001)

---

🔗 Relationship to Other Standards

ISO/IEC 42001 can be integrated with other standards such as:

• ISO/IEC 27001 (Information Security)
• ISO 31000 (Risk Management)
• ISO/IEC 23894 (AI Risk Management Guidelines)

Together, they create a comprehensive framework for managing not just AI, but the full range of digital and organisational risks.

---

📄 Certification & Adoption

Organisations can work toward ISO/IEC 42001 certification to demonstrate maturity in AI governance. Certification may become increasingly valuable (or required) as AI regulations like the EU AI Act come into force.

---

🔗 Learn More

• ISO Official: https://www.iso.org/standard/81230.html
• IEC Info: https://www.iec.ch/
• EU AI Act Overview: https://artificialintelligenceact.eu

---

✅ Summary

ISO/IEC 42001 sets the foundation for managing AI responsibly and transparently. As AI adoption grows, this standard offers a much-needed framework to help organisations align with regulation, build trust, and reduce risk — while still fostering innovation.

It’s a key tool for anyone serious about integrating AI ethics and governance into their operational processes.

⚖️ Regulatory Compliance Standards: At a Glance

In an increasingly regulated digital landscape, understanding and aligning with key cybersecurity and data protection standards is essential for organisations of all sizes. Below is a summary of major regulatory and compliance frameworks relevant to IT, data security, and cloud infrastructure professionals.

---

📄 Index of Key Compliance Standards

💳 PCI DSS: Payment Card Industry Data Security Standard

PCI DSS is a global security standard designed to protect cardholder data and reduce credit card fraud. Any organisation that stores, processes, or transmits cardholder data must comply — making PCI DSS a core concern for cybersecurity teams.

---

📘 What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements created to safeguard payment card data.

• Developed by: PCI Security Standards Council (founded by Visa, MasterCard, American Express, Discover, and JCB)
• Current version: PCI DSS v4.0 (released March 2022)
• Purpose: Ensure safe handling of credit card data and prevent breaches

---

🧭 Why Does PCI DSS Exist?

PCI DSS was introduced to:

• Prevent payment card fraud
• Reduce risks caused by weak security in payment systems
• Standardise security practices across merchants, service providers, and processors

---

👥 Who Does PCI DSS Affect?

PCI DSS applies to:

🏢 Merchants

Any organisation that accepts card payments — online or in-store — regardless of size or transaction volume.

🔄 Service Providers

Third parties involved in storing, processing, or transmitting cardholder data (e.g. payment gateways, hosting providers, managed service providers).

Note: There is no “PCI certification” for software or platforms — compliance is always the responsibility of the entity handling the card data.

---

🛡️ What Is Protected Under PCI DSS?

Cardholder Data (CHD):

• Primary Account Number (PAN)
• Cardholder name
• Expiration date
• Service code

Sensitive Authentication Data (SAD):

• Full magnetic stripe / chip data
• CVV/CVC codes
• PINs and PIN blocks

Storing SAD after authorisation is strictly prohibited.

---

📋 Core PCI DSS Requirements

PCI DSS includes 12 requirements, grouped into 6 control objectives:

---

🔐 Build and Maintain a Secure Network

1. Install and maintain a firewall configuration
2. Do not use vendor-supplied defaults for system passwords

🔒 Protect Cardholder Data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

🧑‍💼 Maintain a Vulnerability Management Program

5. Protect all systems against malware
6. Develop and maintain secure systems and applications

👥 Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

📊 Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Test security systems and processes regularly

📖 Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel

---

⚙️ How to Implement PCI DSS Compliance

✅ 1. Determine Your PCI Level

• PCI compliance is based on your annual transaction volume.
• Level 1 (over 6 million transactions/year) requires a formal audit by a Qualified Security Assessor (QSA).

✅ 2. Scope Your Environment

• Identify systems and processes that handle CHD
• Limit scope by network segmentation

✅ 3. Implement Required Controls

• Firewalls, encryption (TLS 1.2+), anti-malware, logging, intrusion detection
• Strong authentication (e.g. MFA for admins)

✅ 4. Complete a Self-Assessment Questionnaire (SAQ)

• For merchants that don’t require full audits
• Several SAQ types depending on how payments are handled (e.g. e-commerce, POS, hosted forms)

✅ 5. Conduct Vulnerability Scanning

• Quarterly ASV scans from an Approved Scanning Vendor
• Remediate vulnerabilities and retain reports

✅ 6. Maintain Logs and Monitoring

• Centralised logging (e.g. Splunk)
• Retain logs for at least one year

✅ 7. Train Staff

• Educate teams on handling cardholder data securely
• Include phishing awareness and secure coding practices

---

🧰 Tools That Support PCI DSS Compliance

• Wazuh / Splunk – Logging, alerting, and file integrity monitoring
• AWS Config / Azure Policy – Enforce secure configurations in cloud
• Tenable / Qualys – Vulnerability management
• HashiCorp Vault / AWS KMS – Encryption key management
• CrowdStrike / SentinelOne – Endpoint protection

---

🚨 Non-Compliance Consequences

Failure to comply can result in:

• Hefty fines ($5,000 to $100,000/month)
• Termination of merchant accounts
• Mandatory forensic audits
• Damage to brand trust and customer confidence

📊 SOX: Sarbanes-Oxley Compliance for IT and Security Professionals

The Sarbanes-Oxley Act (SOX) is a U.S. federal law focused on improving corporate transparency and preventing financial fraud. It has major implications for IT and cybersecurity teams involved in data integrity, access controls, and audit readiness.

---

📘 What Is SOX?

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) was passed in response to a series of high-profile accounting scandals (e.g. Enron, WorldCom) that shook investor confidence.

• Full name: Public Company Accounting Reform and Investor Protection Act
• Signed into law: July 30, 2002
• Primary focus: Financial reporting, internal controls, and accountability

---

🧭 Why Does SOX Exist?

SOX was introduced to:

• Improve the accuracy and reliability of corporate disclosures
• Protect shareholders and the public from accounting errors and fraud
• Increase executive accountability and reduce conflicts of interest
• Strengthen audit practices and internal financial controls

---

👥 Who Does SOX Affect?

SOX compliance is mandatory for:

🏢 Public Companies:

• All publicly traded U.S. companies listed on U.S. stock exchanges
• Foreign companies with U.S.-listed securities

🔄 Supporting Roles:

• IT departments, cybersecurity teams, and finance departments involved in managing and protecting financial systems

👨‍💼 Executives:

• CEOs and CFOs must certify the accuracy of financial reports under penalty of criminal liability

---

🔐 SOX & Cybersecurity: What’s the Connection?

While SOX doesn’t prescribe specific cybersecurity practices, it requires controls over the integrity, confidentiality, and availability of financial data. This means:

• Access control systems
• Audit logs
• Data backup & recovery
• Change management
• Cyber incident response

These elements are critical for supporting Section 404, which deals with internal control over financial reporting (ICFR).

---

📂 Key SOX Sections Relevant to IT & Security

📑 Section 302 – Corporate Responsibility for Financial Reports

• Executives must personally certify financial disclosures
• Requires internal controls and fraud detection measures

🧮 Section 404 – Management Assessment of Internal Controls

• Requires documentation, testing, and assessment of internal controls
• Auditors must attest to the effectiveness of these controls

🧾 Section 409 – Real-Time Issuer Disclosures

• Companies must disclose material financial changes rapidly
• Emphasises the importance of data accuracy and timely access

---

⚙️ How to Implement SOX Compliance from an IT Perspective

✅ 1. Establish and Document Internal Controls

• Use control frameworks like COSO or COBIT
• Define roles, responsibilities, and procedures for financial systems

✅ 2. Restrict and Audit Access to Financial Data

• Implement role-based access control (RBAC) and least privilege
• Maintain audit logs of user activity, file access, and changes

✅ 3. Implement Change Management

• All changes to financial systems must be logged, reviewed, and approved
• Use version control and automation tools for traceability

✅ 4. Ensure Data Integrity

• Validate data inputs and calculations in financial applications
• Use checksums or hash functions where needed

✅ 5. Perform Regular Backups and Recovery Tests

• Back up financial data securely and test restoration processes
• Meet retention requirements for audit and legal compliance

✅ 6. Monitor Systems and Respond to Incidents

• Deploy SIEM tools (e.g. Splunk, ELK) to detect anomalies
• Integrate incident response plans with SOX audit readiness

---

🧰 Tools That Support SOX Compliance

• Splunk or Elastic – Centralise logs, create audit trails
• AWS CloudTrail / Azure Monitor – Monitor changes in cloud environments
• SailPoint / Okta – Identity governance and access certification
• Veeam, Druva – Backup and restore solutions with audit capabilities
• Atlan / Collibra – Data cataloguing and control documentation

---

🚨 Consequences of Non-Compliance

Non-compliance can result in:

• Civil and criminal penalties for executives
• Fines up to $5 million and/or 20 years in prison
• Delisting from stock exchanges
• Loss of public trust and reputational damage

🏥 HIPAA: Understanding U.S. Healthcare Data Protection

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data in the United States. For cybersecurity professionals and service providers, understanding HIPAA is critical when handling healthcare information.

---

📘 What Is HIPAA?

HIPAA is a U.S. federal law enacted in 1996 designed to:

• Protect the privacy and security of individuals’ health information
• Improve the efficiency of healthcare data processing
• Ensure health insurance coverage continuity when people change or lose jobs

HIPAA is enforced by the U.S. Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR).

---

🧭 Why Does HIPAA Exist?

HIPAA was introduced to address:

• The increasing digitisation of healthcare records
• Rising concerns about data breaches and patient privacy
• The need for a nationwide standard for handling Protected Health Information (PHI)

It balances the use of health information for patient care and innovation, with individual privacy rights.

---

👥 Who Does HIPAA Affect?

HIPAA applies to:

📌 Covered Entities:

• Healthcare providers (e.g., hospitals, doctors, clinics)
• Health plans (e.g., insurers, HMOs)
• Healthcare clearinghouses (e.g., billing processors)

🔄 Business Associates:

• Vendors or subcontractors handling PHI on behalf of a covered entity (e.g., cloud storage providers, IT contractors, analytics firms)

Note: Business associates must sign a Business Associate Agreement (BAA) and are directly liable for HIPAA compliance.

---

📂 What Is Protected Health Information (PHI)?

PHI includes any health information that can identify an individual, such as:

• Names, addresses, dates of birth
• Medical records, diagnoses, treatment info
• Billing details, insurance numbers
• Biometric or genetic data

If it’s identifiable and relates to health, it’s protected under HIPAA.

---

🧱 HIPAA Rules and Requirements

HIPAA is structured around four key rules:

1. Privacy Rule

• Governs how PHI is used and disclosed
• Gives patients control over their health data

2. Security Rule

• Sets standards for protecting electronic PHI (ePHI)
• Requires administrative, technical, and physical safeguards

3. Breach Notification Rule

• Mandates disclosure of PHI breaches to:
  • Affected individuals
  • HHS OCR
  • In some cases, the media

4. Enforcement Rule

• Details how HIPAA violations are investigated and penalised
• Fines can range from $100 to $1.5 million per violation category, per year

---

⚙️ How to Implement HIPAA Compliance

✅ 1. Perform a Risk Assessment

• Identify threats to confidentiality, integrity, and availability of ePHI
• Document vulnerabilities and mitigation plans

✅ 2. Apply the Required Safeguards

Administrative

• Policies, training, and workforce management

Technical

• Access controls, encryption, secure transmission, audit logs

Physical

• Facility access controls, workstation security

✅ 3. Implement Role-Based Access Controls (RBAC)

• Limit access to ePHI based on job functions
• Apply the principle of least privilege

✅ 4. Encrypt ePHI in Transit and at Rest

• Use AES-256 encryption for data storage and HTTPS/TLS for communications

✅ 5. Monitor and Log Access

• Maintain detailed audit logs
• Use SIEM tools (e.g., Splunk, Elastic) for continuous monitoring

✅ 6. Train Your Workforce

• Provide annual HIPAA security and privacy training
• Maintain records of completed training

✅ 7. Sign Business Associate Agreements (BAAs)

• Required for all vendors handling ePHI
• Must include security requirements and breach notification clauses

---

🔧 Tools That Support HIPAA Compliance

• AWS, Azure, Google Cloud – offer HIPAA-eligible services (with signed BAA)
• Splunk – audit trail and compliance reporting
• Atlan or Collibra – governance and data lineage for PHI
• Veeam, Rubrik – encrypted backup and disaster recovery for healthcare data

---

🚨 What Happens If You Don’t Comply?

Violations can lead to:

• Civil penalties: Up to $1.5 million per year
• Criminal charges: Fines and imprisonment for wilful neglect
• Reputational damage: Loss of patient trust and business opportunities

🔐 GDPR: A Guide for Cybersecurity and Compliance Professionals

The General Data Protection Regulation (GDPR) is a landmark data privacy law that reshaped how organisations handle personal data. This page explains what GDPR is, why it was introduced, who it affects, and how it can be implemented effectively.

---

📘 What Is GDPR?

The General Data Protection Regulation (EU) 2016/679 is a European Union law that governs how organisations collect, process, and protect the personal data of individuals.

• Came into force: 25 May 2018
• Applies to: Any organisation handling personal data of EU/EEA residents, regardless of the company’s location
• Main goal: To give individuals control over their personal data and to harmonise data protection laws across the EU

---

🧭 Why Does GDPR Exist?

GDPR was introduced to:

• Protect personal data in an era of digital transformation and global data exchange
• Increase transparency and accountability from companies handling user data
• Strengthen trust between organisations and individuals
• Standardise data protection laws across all EU member states

---

👥 Who Does GDPR Affect?

GDPR applies to:

🏢 Organisations:

• EU-based companies, regardless of where data processing occurs
• Non-EU companies that offer goods/services to or monitor behaviour of EU residents (e.g. tracking user behaviour with cookies)

🙋 Individuals:

• EU and EEA residents whose personal data is collected, stored, or processed

---

📋 Key Rights for Individuals

GDPR gives individuals eight key rights, including:

1. Right to be informed
2. Right of access
3. Right to rectification
4. Right to erasure (right to be forgotten)
5. Right to restrict processing
6. Right to data portability
7. Right to object
8. Rights related to automated decision-making and profiling

---

⚙️ How to Implement GDPR in Your Organisation

Implementing GDPR requires both technical and organisational measures. Below is a high-level checklist to get started:

✅ 1. Data Mapping

• Identify what personal data is collected, where it’s stored, and how it’s processed
• Classify data according to sensitivity

✅ 2. Legal Basis for Processing

• Determine the lawful basis (e.g. consent, contract, legal obligation) for each data processing activity

✅ 3. Privacy Policies

• Ensure clear and accessible privacy notices are in place for users and employees

✅ 4. Security Controls

• Implement encryption, access control, data minimisation, and secure data storage
• Use logging and monitoring (e.g. AWS CloudTrail, Splunk) to detect unauthorised access

✅ 5. Subject Rights Processes

• Develop procedures for handling access requests, rectification, erasure, and data portability

✅ 6. Data Breach Readiness

• Define a breach response plan and notification procedures
• Report qualifying breaches to supervisory authorities within 72 hours

✅ 7. Vendor Management

• Assess third-party processors for GDPR compliance
• Sign Data Processing Agreements (DPAs) with service providers

✅ 8. Training & Awareness

• Regularly train employees on GDPR, privacy best practices, and reporting mechanisms

✅ 9. Appoint a DPO (if required)

• A Data Protection Officer is mandatory for certain organisations, especially those processing large-scale sensitive data

---

🚨 Penalties for Non-Compliance

Organisations in breach of GDPR can face fines of up to:

• €20 million or
• 4% of annual global turnover – whichever is higher

---

🧰 Useful Tools for GDPR Compliance

• AWS Macie / Azure Purview – Discover and classify personal data
• Splunk – Monitor and audit data access
• Atlan – Manage data governance and access
• Privacy Impact Assessment (PIA) templates – Evaluate risk of data processing